Thinking Outside the Bits

 
 
By Peter Coffee  |  Posted 2006-10-16 Email Print this article Print
 
 
 
 
 
 
 

Opinion: Surety and PGP aid developers in getting a bigger picture of info assurance.

The dominant theme of data protection discussions is one of preserving secrets. Much less attention gets paid to the problem of ensuring datas availability—not to mention verifiability—rather than limiting it. I spoke this month with representatives of Surety about their technology for addressing all four elements of affirmative data access management: confidentiality, authentication, integrity and nonrepudiation.

Surety describes its product as "trusted time-stamp service"—which is sort of like calling a Porsche Carrera "personal transportation." The companys AbsoluteProof service offers its own four-point list of key criteria for data assurance that people will actually use: "independent, portable, persistent and transparent." The service is independent of the party that has a stake in proving a data items attributes; the authentication can travel with the data and be verified by the recipient; the verification is durable, and the use of the technology can be made invisible to the user.

For anyone who actually knows anything about encryption technology and practice, I hardly need to say anything more about Suretys ideas: The concept isnt nearly as hard to grasp as, say, string theory. In crypto, the critical thing these days is less often the concept than the implementation. As noted in eWEEK.coms widely viewed slide show, "The Dirty Dozen IT Embarrassments," even something as simple as correctly seeding a random number generator may be the difference between potential and actual crypto strength.

Thats why I was struck, in particular, by one element of Suretys approach. The company periodically publishes a hash value, as plain old text in a classified ad in The New York Times, that reliably demonstrates the integrity of its entire process. This is a rare concrete example of the often vacuous phrase, "thinking outside the box"—which brings to most peoples minds, I suspect, an image of climbing out of a metaphorical box of confined perceptions, but which most likely derives from the famous puzzle of the nine dots.

The paradox of most digital systems is that people try to use the system, or a parallel system with shared failure modes, to monitor and maintain function: a proposition that has a certain hall-of-mirrors paradoxical feel, and that leads to painful calculations of just how much safety is needed -- and how much its worth to achieve that level of protection. Surety jumps out of that self-referential paradox by using another medium, one with completely different failure modes, as an outside check on its process. Well done.

Also helping developers to avoid getting boxed in by data assurance difficulties is PGP Corporation, with its announcement this month of a massive portfolio of updates to its encryption product line—with a general theme (its always wrong to generalize) of making enterprise encryption more of a unified environment rather than a cobbled-up collection of separate tools and doctrines. Theres not much more that I can say thats not addressed in my August interview with PGP director of product management John Dasher, but theres more from PGP at its site.

Tell me what kinds of assurance you wish you could get at peter_coffee@ziffdavis.com

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
 
 
 
 
Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel